Risk Remediation
Transforming assessment findings into actionable improvements through corrective action plans and risk management decisions to strengthen the university's security posture.
How Assessment Findings Are Identified
The information technology (IT) risk assessment process evaluates compliance with IT security requirements (also called IT security measures) that come from the university IT security controls catalog and IT-related Standard Administrative Procedures, which are required per the State of Texas and the Texas A&M System. The IT security requirements are based on industry best practices that help reduce the risk of compromise to university IT resources and data. Through the process, areas of non-compliance (or compliance gaps) are identified and documented as a “finding”.
This is done by relating the questions within the IT risk assessments to specific university IT security requirements. The results from a completed IT risk assessment are reconciled with the applicable university IT security requirements for the information resource. Answer choices that fall below the minimum requirement for compliance are flagged as a finding.
What Happens When a Finding is Identified?
The unit or individual responsible for that information resource must then formally respond to the finding(s).
This is where a solid IT risk management strategy becomes important, since units have finite resources (time, personnel, budget, etc.) and competing priorities. The responses become the unit’s road map for what needs to be corrected moving forward to improve compliance and reduce the risks associated with the compliance gap.
Responding to Findings
There are generally two ways to respond to a finding:
1. Corrective Action Plan
The unit develops a plan detailing how they will work to bring the information resource into compliance with the related university IT security requirement. This plan should include:
- Specific actions/tasks to be taken.
- Who will be responsible for the overall completion of the corrective action plan.
- A due date for when all actions/tasks are expected to be completed.
- Optional:
  - Identification of resources needed (e.g., funding, personnel time, new tools).
  - Identification of possible restraints/roadblocks that may prevent the actions/tasks from being completed.
This plan functions similarly to a "Plan of Action and Milestones" (POA&M), documenting the path toward remediation.
2. Risk Management Decision
In some situations, achieving partial or full compliance is not feasible (e.g., technical constraints, prohibitive costs, etc.). In such cases, the unit will need to formally accept the associated finding. This requires:
- A clear justification for maintaining current levels of non-compliance with the related IT security requirement.
- Compensating controls used to mitigate the risk(s) associated with non-compliance with the related IT security requirement.
- The business impact of the information resource.
- Approval from appropriate leadership.
Last Modified: August 14, 2025